LTM setup question

Question

I'm trying to setup a LTM in my network and was curios on the design aspects. Here's mysetup. &nbsp;
Firewall ---&gt; Switch ( let's say port to firewall inside is on vlan 100) --&gt; IPS IN port is on VLAN 100 and so all traffic goes to IPS and gets inspected.. The inspected traffic from IPS returns back to switch on VLAN 200. &nbsp;
Now, the Servers that are getting load balanced ( They are on 5 different VLAN's) and the F5 LTM ( 2 of them) are connected to the same switch stack. AND HERE COMES MY QUESITON&nbsp;
A) Should i set up an VLAN External in the LTM as VLAN 200 ( the same vlan where the inspected traffic is coming in to switch) and that way the traffic enters in to the LTM for LB. I guess i need to create 5 different VLAN's for the Internal servers and put an VLAN floating IP on those VLAN's which will be used as gateway by the servers inside. &nbsp;
B) Since the F5 is gettign connected to the switch, should i just create a trunk from F5 to the switch ( with 3-4 ports in bundle) and pass both external VLAN and internal VLAN over that trunk ?? &nbsp;
C) I don't have a seperate management VLAN in the network. I just use one the existing VLAN's SVI for access. Should i create a seperate subnet and assign that for management IP for F5 ( and while i do that, do the same for switches as well). &nbsp;
Any help is appreciated. &nbsp;

greg_robinson_1 · Answer

Are you using the F5 inline or in one-armed mode? I use the F5 as a router/gateway for all my server VLANs, so I trunk the "VLAN 200" and all server VLANs to the F5. Then I use the F5 as the gateway to route all server traffic by creating an IP Forwarding VS to handle any non-VIP traffic. &nbsp;
I always use out of band management, as in-line increases your attack surface. I use an out-of-band management network for the F5s, then I create an HA VLAN on the F5s that is RFC1918 unrouted and only allow those HA self-IPs to process the clustering traffic by setting "allow-service default", setting all other self-IPs to "allow-service none". I also create an AFM policy that allow clustering traffic between the nodes and tie this policy to the HA self-IPs. Let me know if you want to see some sample configuration.&nbsp;

f5fanboy_182636 · Answer

HI 
I plan to use the F5 as gateway to servers. The LTM will be connected to the switch and what i plan to do is that the incoming traffic destined to the VIP address's will reach the switch and will be sent to a IPS device for inspection and will then be returned back to the switch on a VLAN 200 and i plan to create a port-channel to F5 and assign the port-channel to the same VLAN 200 and that way all incoming traffic will reach the LTM. In order for the LTM to reach the physical servers i plan to take 3-4 ports and create a port-channel and set it up as a trunk link to the switch in order to reach those server VLAN's.&nbsp;
I'm using LTM 2000s and i was wondering if there's a guideline on the number of ports to use per trunk. I mean i will have 2 LACP bundle. One for VLAN 200 to get the incoming traffic in to LTm adn the other is a Trunk link to reach all the Server VLAN's. should i have like 3 ports for the incoming port-channel in vlan 200 and rest of ports for the trunk to reach to servers ??? &nbsp;
So talking about VLAN's so, i'll need the following VLAN's if i go this correct. &nbsp;
A) Vlan 200 to connect to switch on a port-channel to receive traffic from Internet ( this will be external vlan) 
 B) The VLAN's that the servers are on -- I guess i need to create 4-5 nternal VLAN's and assign IP's to them and they'll be used as gateway for the servers. 
 C) Management Vlan - This is to gain access to LTM
 D) HA VLAN - since i've two LTM, i guess i'll need a seperate VLAN to set up HA as well. &nbsp;
I'd appreciate if you can validate the vlan requiremnts above. A sample config will be appreciated as that'll give me a good idea. &nbsp;

greg_robinson_1 · Answer

You could theoretically put VLAN 200 and the server VLANs on the same trunk. If you need to physically separate the pre and post F5 traffic, you'd then need separate trunks. I would recommend using at least two ports per physical F5 unit for redundancy. Anything after two really just depends on the bandwidth requirements. Extra capacity can be a great thing.&nbsp;
Yes, its best to use a separate VLAN for HA. I wouldn't even put an L3 gateway on that VLAN, just make it a /30 using RFC1918 and lock it down as I described.&nbsp;
You also need to check your switch for the load-balancing hash algorithm it uses for bundling links. Since you have all traffic coming from the firewall going to the F5 VIP(s), you want to avoid using any type of MAC-address-only hashing, otherwise your traffic is only going to use one of those links regardless of how many you have. Using a combination of source/destination IP or L4 port would be best, usually all four if possible (like Cisco's src-dst-ip-port if available.)&nbsp;
Best of luck!&nbsp;

Forum Discussion

LTM setup question

3 Replies

Win Big in Vegas: The iRules Contest is back with $5k on the line at AppWorld 2026

Jürgen - February 2026 Featured Member

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Random TCP Resets from F5

Base64 decoding issue (JSON request)

F5 i-series Guests to r-series tenants migration

Block specific URL's in APM

Sizing calculation storage

Related Content

LTM VE behind Sophos Firewall deployment - configuration/setup question

Less than 60 seconds lab setup

The State Of HTTP/2 Full Proxy With F5 LTM

How to Setup Shape Log Analysis in Fastly

UCS Encryption Question

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS